Sign In

Communications of the ACM

[email protected]

Let's Teach Malware When It's Ready: The Purpose of Undergrad CS


Georgia Institute of Technology Professor Mark Guzdial

 In the February 2011 CACM, George Ledin, Jr. argues in his article The Growing Harm of Not Teaching Malware that we need to be teaching all CS undergraduates about malware. He bemoans that, because of the lack of such classes, "This means that we are matriculating computer scientists whose knowledge of malware is roughly on par with that of the general population of amateur computer users." He describes what should be going on in these classes:

On the technical side, teaching malware requires knowing viruses, worms, Trojans, and rootkits, which obligates teachers to have read their source code, which in turn requires them to have the ability to reverse the binaries, and the facility to launch, run, and infect machines on an isolated subnet. Having read a sufficiently large, representative sampling of historic malware source code then leads to formulating various generalizations to build a theory of malware that can be tested by writing derivative malware, new in a shallow sense but not necessarily innovative.

Why do we need such expertise in malware? Why can't we just fix the problem? Professor Ledin explains:

The reason we cannot solve the malware problem is simple: We don't have a theory of malware.

I don't have a problem with teaching malware in undergraduate computer science. I do argue strongly that it should be an elective, not a requirement. In the end, I disagree with Professor Ledin over a view of what an undergraduate degree in Computer Science is for.

First, an undergraduate degree is about learning how to think, not inventing new knowledge. Malware experts don't have a theory of malware. Professor Ledin would like undergraduates to invent a theory of malware. Perhaps the undergraduate students at Sonoma State University are much better than the ones I meet, but I don't think most undergraduates can invent a theory better than the existing experts.

Second, and more important to me, the purpose of an undergraduate degree in Computer Science is to teach students about Computer Science, not prepare them to be software professionals. I agree with Jeannette Wing when she wrote: "One can major in computer science and go on to a career in medicine, law, business, politics, any type of science or engineering, and even the arts." It's not at all obvious to me that knowing malware is a critical requirement for any of those careers. I am happy with my doctor, lawyer, businessman, or politician to have only a cursory understanding of malware. Sure, professional software developers should know about malware. It's a fallacy that an undergraduate Computer Science degree is about becoming a professional software developer.


Comments


Christopher Riesbeck

Wow, Mark. While we usually agree violently on educational theory, we appear to diverge greatly on what computer science should be. First, I don't see Jeannette Wing's computational thinking as defining computer science, but rather articulating a core skill in CS that is of value beyond the field. But a skill -- even a mode of thought -- does not suffice to define a field or curriculum. Second, I believe one of the worst things that can happen to any field is to separate its educational goals from helping students develop professional identities. And among those identities, along with researcher in AI or systems or graphics or theory, I most certainly include the professional software developer.


Mark Guzdial

Hi Chris! I agree that Jeanette's computational thinking article was defining CT not CS. But at the end of her piece, she talks about CS as being (in a sense) a "new liberal art" -- a field of study that could be preparation for any number of careers. I do agree with that perspective. Certainly, one of those careers could be software developer. I don't think that a CS degree REQUIRES a student to become a professional software developer, though. Requiring malware training for all CS majors implies a strong causal linkage between a CS degree and being a professional software developer. We want students to be able to pursue several different professional identities with a CS degree, where professional software development is an option, not a requirement.


Displaying all 2 comments